Encryption method used if VPN connection type is Automatic. If you configure a VPN connection for an Automatic server type (the default), the connection first tries to use PPTP and its associated MPPE encryption, and then it tries to use L2TP and its associated IPSec encryption. If you configure the VPN connection to connect to a PPTP server, only MPPE encryption is used. If you configure the VPN connection to connect to an L2TP server, only IPSec encryption is used.

No encryption needed for link to ISP. For VPN connections, you do not need to use encryption for the link between your site and the ISP, because no data is transmitted during the process that establishes this connection. After the connection to the ISP is made, the data that passes between the calling and answering routers is encrypted as it passes through the VPN tunnel.

You configure MPPE and IPSec encryption strengths on the Encryption tab for the properties of a remote access policy. For information about how to configure encryption in a remote access policy for a site-to-site connection, see "Configure a Remote Access Policy" later in this chapter. For general information about configuring encryption, see Add a remote access policy and Remote Access Policies Examples in Help and Support Center for Windows Server 2003.

Configure either MPPE or IPSec to use one of the encryption keys as shown in Table 10.7.

Table 10.7 Encryption Strength by Connection Type

Encryption Strength   Dial-up or PPTP   L2TP/IPSec
Basic                 40-bit MPPE       56-bit DES
Strong                56-bit MPPE       56-bit DES
Strongest             128-bit MPPE      3DES (three 56-bit keys)

Note

Windows NT 4.0 with the 128-bit version of Service Pack 4 (SP4) can support 128-bit MPPE, but it does not support 56-bit MPPE. Therefore, any Windows operating system earlier than Windows NT 4.0 SP4 is not recommended, because security enhancements for MS-CHAP and MPPE are not included.
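The following is an added example (not code from the Windows Server 2003 documentation): a small model of how the Automatic connection type, the Encryption tab strengths in Table 10.7, and the client's supported ciphers interact. The "strongest mutually supported cipher wins" selection rule, the function names, and the sample client capability sets are assumptions made for illustration.

```python
# Added example, not from the original documentation. Models the behaviour the text
# describes: Automatic tries PPTP/MPPE first, then L2TP/IPSec; a PPTP or L2TP server
# type uses only its own cipher family; the policy's Encryption tab limits strengths.

# Table 10.7: encryption strength -> cipher per connection type.
STRENGTH_CIPHERS = {
    "Basic":     {"PPTP": "40-bit MPPE",  "L2TP": "56-bit DES"},
    "Strong":    {"PPTP": "56-bit MPPE",  "L2TP": "56-bit DES"},
    "Strongest": {"PPTP": "128-bit MPPE", "L2TP": "3DES (three 56-bit keys)"},
}
STRENGTH_ORDER = ["Basic", "Strong", "Strongest"]

# Constructed client capability sets (assumption, for illustration only).
# Per the note above: NT 4.0 SP4 (128-bit) does 128-bit MPPE but not 56-bit MPPE.
NT4_SP4_128 = {"40-bit MPPE", "128-bit MPPE"}
MODERN_CLIENT = {"40-bit MPPE", "56-bit MPPE", "128-bit MPPE",
                 "56-bit DES", "3DES (three 56-bit keys)"}


def negotiate(connection_type, policy_strengths, client_ciphers, server_types):
    """Return (protocol, cipher) for the first tunnel type that succeeds, else None.

    connection_type:  "Automatic", "PPTP" or "L2TP" (the VPN connection setting)
    policy_strengths: strengths ticked on the remote access policy Encryption tab
    client_ciphers:   ciphers the calling client can use
    server_types:     tunnel types the answering router accepts
    Assumption: when several strengths are allowed, the strongest one both sides
    support is chosen.
    """
    attempts = ["PPTP", "L2TP"] if connection_type == "Automatic" else [connection_type]
    for proto in attempts:
        if proto not in server_types:
            continue  # Automatic falls through to the next tunnel type
        for strength in reversed(STRENGTH_ORDER):
            if strength not in policy_strengths:
                continue
            cipher = STRENGTH_CIPHERS[strength][proto]
            if cipher in client_ciphers:
                return proto, cipher
    return None  # no strength the policy allows is usable with this client


def weakest_allowed(policy_strengths, connection_type):
    """Lowest-strength cipher a policy still permits for a given tunnel type (for review)."""
    for strength in STRENGTH_ORDER:
        if strength in policy_strengths:
            return STRENGTH_CIPHERS[strength][connection_type]
    return None
```

Running `negotiate("Automatic", {"Strong"}, NT4_SP4_128, {"PPTP", "L2TP"})` returns None, which reproduces the note's point that a policy requiring 56-bit MPPE cannot serve an NT 4.0 SP4 client, while a Strongest-only policy succeeds with 128-bit MPPE.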